Audit Report

OIG-08-034

TERRORIST FINANCING/MONEY LAUNDERING: OTS Examinations of Thrifts for Bank Secrecy Act and Patriot Act Compliance Were Often Limited

May 15, 2008

Office of Inspector General
Department of the Treasury

Contents

Audit Report
    Results in Brief
    Background
    Findings
        OTS Examiners Often Performed Limited Examinations to Evaluate BSA and Patriot Act Compliance
        OTS Examiners Did Not Consistently Cite a Violation When Written BSA Program Elements Were Missing
    Recommendations

Appendices
    Appendix 1: Objective, Scope, and Methodology
    Appendix 2: Management Response
    Appendix 3: Major Contributors to This Report
    Appendix 4: Report Distribution

Abbreviations

    AML       anti-money laundering
    BSA       Bank Secrecy Act
    CDD       Customer Due Diligence
    CIP       Customer Identification Program
    CTR       Currency Transaction Report
    ECEF      Electronic Continuing Examination Folder
    FFIEC     Federal Financial Institutions Examination Council
    FinCEN    Financial Crimes Enforcement Network
    MSB       money services business
    OTS       Office of Thrift Supervision
    ROE       Report of Examination
    SAR       Suspicious Activity Report

May 15, 2008

John M. Reich
Director
Office of Thrift Supervision

As regulator of the thrift industry, the Office of Thrift Supervision (OTS) charters federal savings and loan associations, adopts regulations governing the operation of the thrift industry, conducts examinations of federal and state-chartered savings institutions and their holding companies, and supervises compliance with federal laws and regulations and OTS directives.
In fiscal year 2006, OTS supervised 853 savings associations, with assets totaling $1.6 trillion, and 481 holding companies, with assets totaling approximately $7.7 trillion.

OTS examines thrifts for safety and soundness and for compliance with consumer laws. OTS also examines thrifts for compliance with the Bank Secrecy Act (BSA)[1] and title III of the USA PATRIOT Act (Patriot Act).[2] (Hereafter we refer to these examinations jointly as BSA examinations.) OTS combines safety and soundness and compliance examinations and produces one report of examination (ROE) that contains the results. OTS reported that it conducted 1,272 BSA examinations and cited over 262 thrifts for violations from January 2005 through September 2006. Most violations were remedied during the examination process, though 40 enforcement actions were initiated.

[1] Pub. L. No. 91-508 (codified, as amended, at 12 U.S.C. § 1829b; 12 U.S.C. §§ 1951-1959; 31 U.S.C. § 5311 et seq.).
[2] Pub. L. No. 107-56. The acronym USA PATRIOT stands for “Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorists.”

The objective of our audit was to determine whether OTS’s examination coverage was sufficient to determine thrift compliance with BSA and the Patriot Act. We also reviewed how OTS reported the results of its examinations to ensure that thrifts took appropriate corrective actions for noncompliance with BSA. Using OTS’s guidance for conducting and reporting BSA examinations, we reviewed the most current examinations conducted by OTS’s four regions for a sample of 95 thrifts.[3] Upon selecting current examinations for review that covered the period of calendar years 2004 through 2006, we requested and reviewed the examinations performed just prior to these examinations, usually 12 to 18 months earlier, to compare the scope of both examinations and determine whether problems previously identified in the BSA program had been corrected. We also interviewed the examiners for the sampled thrifts to discuss our observations relative to the reviewed examinations. We conducted our fieldwork from January 2006 through July 2007.
Appendix 1 contains a more detailed description of audit objectives, scope, and methodology.

[3] Our original sample was to have included 100 thrifts - 40 in the Northeast, 20 in each of the Midwest and Southeast regions, and 20 in the West. In the Northeast, we reported our results for only 37 thrifts, because 3 thrifts had examinations that were conducted by the state of Ohio under an alternating examination agreement with OTS. In the West, we reported our results for only 18 thrifts because 1 thrift’s most current examination was a limited review conducted to assess the thrift’s compliance with provisions of an enforcement order and for 1 thrift, our random sample yielded 2 examinations for the same institution.

Results in Brief

We found that OTS examiners often performed limited examinations of thrifts to evaluate BSA and Patriot Act compliance. For 82 of the 95 thrifts, we found in the most recent examinations we reviewed that examiners did not evaluate whether significant compliance program elements had been implemented by thrifts. The examiners frequently accepted that the thrift programs were up to standard because the thrifts had policies and procedures in place for certain BSA and Patriot Act program areas, without determining the manner in which these policies and procedures were implemented. In other cases, examiners did not fully understand the new provisions which were added to the BSA with the enactment of the Patriot Act. This resulted in limited reviews, or no additional testing in situations that posed a potential risk to the thrift. Areas in which examinations were limited included 314(a) information sharing,[4] customer identification programs (CIP),[5] customer due diligence (CDD) activities,[6] and separation of duties of thrift officials who perform independent testing or day-to-day BSA functions and are also responsible for the administration, oversight, direction and monitoring of the thrift’s compliance program. By not evaluating whether program elements were implemented, we believe examiners could draw incorrect conclusions about the effectiveness of thrift programs.

[4] Section 314(a) of the Patriot Act, with implementing regulations published in 31 CFR Part 103.100, provides for a sharing of information between a financial institution and a federal law enforcement agency investigating terrorist activity or money laundering. FinCEN presents the request for information to the financial institution which is required to expeditiously search its records to determine whether it maintains or has maintained any account related to the subject of the request.
[5] Section 326 of the Patriot Act of 2001, with implementing regulations published in 31 CFR 103.121, requires institutions to implement a CIP when accounts are opened. The CIP requires that reasonable procedures be established by institutions for verifying the identity of any person seeking to open an account and for maintaining records of the information used to verify the person’s identity. Procedures should also include a determination of whether the person appears on any lists of known or suspected terrorists or terrorist organizations issued by any federal government agency.
[6] Section 312 of the Patriot Act added a new subsection (i) to 31 USC 5318 of the BSA with implementing regulation published at 31 CFR 103.181 at July 23, 2002 through January 4, 2006 followed by 31 CFR 103.176 and 31 CFR 103.178. These regulations require an institution to maintain a due diligence program with policies, procedures, and controls that are reasonably designed to detect and report any known or suspected money laundering or suspicious activity conducted or involving certain accounts managed by the institution as part of its anti-money laundering program.

For each thrift in our sample, we also found that at least one or more BSA compliance examination areas lacked evidence of review or the examiner’s assessment of work that was warranted in the particular BSA compliance area. OTS guidance requires examiners to document in their workpapers the judgments made during examinations and the basis for selecting areas subject to review.[7] We found that the review of a thrift’s electronic banking activities, specifically Internet banking, most often lacked evidence of examiner review. Also, although OTS’s information technology group examines the authentication processes[8] at thrifts, the information technology group does not routinely share the results of the examinations with compliance examiners. Problems with authentication processes may affect the adequacy of BSA controls.

[7] OTS’s examination handbook also states that conclusions made about the effectiveness of the OTS examination process are in part determined by the adequacy of workpaper documentation. The documentation of procedures and subsequent conclusions in the examination program leaves an effective audit trail for users of the completed programs.
[8] Authentication processes are used to validate the identity of the thrift’s account holders who are accessing Internet-based financial services.

In addition, we found that OTS’s regions were inconsistent when reporting findings regarding outdated or incomplete written BSA programs, in some cases representing the findings as recommendations for enhancement and in other cases as BSA violations. OTS guidance states that required elements that are missing from written BSA programs should be considered violations and entered as such into OTS examination system records and ROEs. We also observed that OTS’s Midwest and Southeast regions used a standard form that identified violations cited in the examinations to ensure they were properly reported, which made it easier to trace examination findings from the workpapers to the ROE and OTS’s Electronic Continuing Examination Folder (ECEF).[9]

[9] ECEF is an Intranet-based OTS system for storing and relating documents related to a particular thrift.

We are recommending that the Director of OTS (1) reinforce the need for examiners to adhere to existing BSA examination related guidance, and assess if it is necessary to provide supplemental guidance and training to ensure examination consistency and documentation of examinations; (2) for thrifts that offer electronic banking services, have compliance examiners consult with examiners performing information technology examinations to determine if there are additional BSA-related risks; and (3) provide guidance to examiners to ensure they consistently cite thrifts for violations when their written BSA programs are missing required elements.

OTS Response and OIG Comments

In a written response to this report, which is included as appendix 2, OTS’s Deputy Director, Examinations, Supervision and Consumer Protection, stated that in general OTS concurred with our three recommendations and has mechanisms in place to address them. In this regard, OTS provides on-going BSA training to examiners through internal and external conferences, meetings, and examiner schools, and will reinforce the need for examiners to adhere to existing BSA examination guidance and assess whether supplemental guidance is necessary. OTS will implement a process to ensure that compliance examiners consult with information technology examiners to determine if there are BSA-related risks at particular institutions. Furthermore, OTS is also currently working with the other federal banking agencies to issue interagency guidance on BSA violations which is intended to ensure additional consistency among the federal banking agencies when citing violations. Additionally, OTS is enhancing an existing program through which BSA violations are discussed among managers to ensure consistent supervisory responses. The steps OTS has taken or planned meet the intent of our recommendations.

The Deputy Director, however, took exception to our characterization of BSA examinations as limited. He said the examinations are risk-focused and that the scope of the BSA examination is tailored at each savings association by considering an association’s demonstrated ability to manage BSA compliance responsibilities, the association’s track record, and any changes that have occurred since the prior examination. Examiners are instructed to, at a minimum, use the core examination minimum procedures to ensure that the institution has an adequate BSA compliance program. He stated that OTS examiners are instructed to include work paper information that is relevant to support critical or adverse examination findings in the ROE.
Examiners only include documentation consistent with the risks associated with the reviewed areas and are instructed to complete and file only those documents where work was performed in areas applicable to the examination. The Deputy Director said that examiners do not document areas that are not applicable to the examination program, because documenting why certain examination areas do not apply to an association would significantly increase examination time and burden on the industry.

We agree that examiners should not create unnecessary work paper documentation. However, OTS’s own guidance states that examiners should document in their work papers the judgments they make during examinations and the basis for selecting areas to review. The guidance also states that the effectiveness of OTS’s examination process is in part reflected in the adequacy of work paper documentation. Moreover, we looked for evidence that examiners assessed risk when conducting their examinations, either in the work paper documentation or in a formal risk assessment prepared by either the thrift or the examiner, and often found no evidence that risk was assessed.

In addition, the Deputy Director commented on the significant expansion of BSA and Patriot Act regulatory requirements during the time period of our audit and changes in examination guidance included in the Federal Financial Institutions Examination Council manual that was issued in June 2005 and updated in 2006 and 2007. He said that not every statement in the manual can be construed as a regulatory requirement.
He illustrated this point by referring to CDD requirements and dual controls and separation of duties, which he said are not regulatory requirements.

On the topic of CDD, the Deputy Director said that CDD as required by Section 312 of the Patriot Act refers specifically to correspondent accounts for foreign financial institutions and private banking accounts for non-U.S. persons. He stated that (1) Section 312 account activity is not common to savings associations, (2) the examples in our report do not relate to CDD required by Section 312, and (3) customer due diligence expectations would follow risk based principles as other areas of the BSA.

Regarding dual controls and separation of duties, the Deputy Director noted that with the exception of the requirement that a savings association conduct an independent test of its BSA/AML compliance program, there is no regulatory requirement, only a recommended best practice.

We agree that the Deputy Director is correct in his assessment of CDD and dual controls and separation of duties. As appropriate, we clarified some of the wording in our report related to this discussion. We also realize the examination manual is not to be construed as a regulatory requirement. However, the manual represents the collective effort of all of the federal banking agencies, the Financial Crimes Enforcement Network and the Office of Foreign Assets Control of what constitutes an adequate and appropriate examination and what should be documented.
We used the manual’s more expansive views of what constitutes appropriate CDD and internal controls in evaluating the adequacy of OTS’s examination coverage.

In this regard, the manual provides guidance as a best practice for an overall due diligence program to assess the appropriateness and comprehensiveness of the bank’s CDD policies, procedures and processes for obtaining customer information and assessing the value of this information in detecting, monitoring, and reporting suspicious activity while still defining regulatory requirements of Section 312 of the Patriot Act. While we cannot comment as to the degree correspondent accounts for foreign financial institutions and private banking accounts for non-U.S. persons are common or not common to savings associations, it should be noted that there were thrifts in our sample that had customers who potentially posed a risk to the institutions where CDD is an appropriate control. These customers included money services businesses and foreign individuals and businesses.
For the sampled thrifts, we found that examiner BSA coverage was not always sufficient to ensure that the thrifts had appropriate CDD processes to address these risks.

The manual also addresses internal controls and states that a financial institution should provide for dual controls and segregation of duties, and employees who complete the reporting forms (e.g., suspicious activity reports, currency transaction reports and currency transaction report exemptions) should not also be responsible for filing the reports or granting the exemptions. We noted thrifts in each of the OTS regions in which a compliance officer or BSA officer also performed day-to-day BSA functions, or the compliance officer was the same person as the BSA officer, but the examiners did not raise a concern or indicate the compensating controls to mitigate the lack of segregation of duties.

The Deputy Director concluded his response by stating among other things that OTS is committed to ensuring that savings associations are in compliance with BSA/AML requirements and that OTS has devoted significant resources in this area.

Background

OTS examines thrifts for safety and soundness and to ensure compliance with various laws, including BSA and the Patriot Act.[10]

[10] OTS was created when the Financial Institutions Reform, Recovery, and Enforcement Act of 1989 abolished the Federal Home Loan Bank Board and transferred all examination and supervisory activities to OTS under the Department of the Treasury. OTS’s primary statutory authority is the Home Owners’ Loan Act, enacted in 1933 to help stabilize the real estate market which had depreciated significantly during the Depression. Thrifts were originally established to promote personal savings through deposit accounts and homeownership through mortgage lending. Although lending for home mortgages remains a significant activity, thrifts now offer many other services.

On April 11, 2002, the OTS Director announced an initiative to improve the examination process by combining safety and soundness and compliance into one examination. Instead of using two separate examination teams, OTS now conducts a single, comprehensive examination with one team, producing one ROE. The BSA examination is part of the compliance examination, which also reviews consumer protection and other required program components. An overall compliance rating from 1 (best) to 5 (worst) is assigned to the thrift following the examination.

Thrifts are required to establish and maintain a program to monitor compliance with BSA and title III of the Patriot Act.[11] Each thrift is to develop and provide for the continued administration of a written program approved by the thrift’s board of directors and reasonably designed to assure and monitor compliance with BSA regulations.
At a minimum, the program must (1) provide for a\n                       system of internal controls to ensure ongoing compliance,\n                       (2) provide for independent testing by in-house personnel or an\n                       outside party, (3) designate the individual(s) responsible for\n                       coordinating and monitoring day-to-day compliance, and (4) provide\n                       training for appropriate personnel.\n\n                       Under BSA, thrifts are required to file a Currency Transaction\n                       Report (CTR) for each cash transaction exceeding $10,000 (unless\n                       a specific exemption applies) and a Suspicious Activity Report\n                       (SAR) when they detect a known or suspected transaction related\n                       to a money laundering activity or other violation.12\n\n                       In August 2004, OTS incorporated the review of thrifts\xe2\x80\x99\n                       compliance with the requirements of title III of the Patriot Act into\n                       its BSA examination procedures. These requirements include\n                       implementation of a CIP to verify customer identity; implementation\n                       of a CDD program,13 and sharing of information with law\n                       enforcement agencies and other financial institutions.\n\n11\n  12 C.F.R. 563.177.\n12\n  12 CFR 563.180.\n13\n   FinCEN stated through 67 Federal Register 48348 dated July 23, 2002 that Section 312 took effect\nJuly 23, 2002, whether or not Treasury had issued a final rule implementing the provision. Accordingly\nFinCEN issued an interim final rule promulgated at 31 CFR 103.181 effective July 23, 2002, that banks\nmust comply with 31 USC 5318(i) pending Treasury\xe2\x80\x99s issuance of a final rule. 
For banks, this interim final rule stated that anti-money laundering programs are to include special due diligence programs for financial institutions that included thrift institutions. The 31 USC 5318(i) requires U.S. financial institutions to establish due diligence policies, procedures, and controls reasonably designed to detect and report money laundering through correspondent accounts and private banking accounts that U.S. financial institutions establish or maintain for non-U.S. persons. A correspondent account is an account established to receive deposits from, make payment on behalf of a foreign financial institution or handle other financial transactions related to such institution. A private banking account is an account or combination of accounts that (1) requires a minimum aggregate deposit of funds or other assets of not less than $1 million, (2) is established on behalf of one or more individuals who have a direct or beneficial ownership interest in the account, and (3) is assigned to, or is administered or managed by an officer, employee or agent of a financial institution and the direct or beneficial owner of the account.

OTS’s regions—the Northeast, Midwest, Southeast, and West—are required to conduct a full-scope, onsite examination of each thrift they oversee every 12 or 18 months, depending on the thrift’s asset size and compliance rating.14 Institutions with both assets over $500,000 and higher risk compliance ratings are generally examined every 12 months, while institutions with less assets and risk are scheduled at least every 18 months for an examination.

OTS’s Northeast and Midwest regions have written agreements with several states to take turns conducting the examinations scheduled each examination cycle. In states in which examinations alternate between OTS and the state, OTS has to ensure that the continuity of BSA examinations is not disrupted, which could affect whether issues are appropriately followed up on for corrective action. According to OTS, examiners generally rely on the states’ ROEs for the results of the state compliance examinations. The written agreements between OTS’s Northeast and Midwest regions allow OTS to obtain the states’ workpapers for review. By reviewing state ROEs and accompanying workpapers, OTS examiners can determine the completeness of the BSA examination conducted by the state, review any areas documented, and establish the scope of any necessary follow-up examinations conducted by OTS.

In June 2005, the Federal Financial Institutions Examination Council (FFIEC), of which OTS is a member agency, issued the Bank Secrecy Act/Anti-Money Laundering Manual (BSA/AML manual).15 The FFIEC BSA/AML manual provides comprehensive guidance for federal bank regulators to follow when conducting BSA examinations. BSA guidance in the FFIEC BSA/AML manual was prepared collaboratively by the federal banking agencies and the Financial Crimes Enforcement Network (FinCEN). The manual provides explanatory material related to BSA, anti-money laundering, and terrorist financing, and a detailed set of examination steps to ensure that complete and consistent BSA examinations are conducted. FFIEC issued updates of the manual in 2006 and 2007.

14
When we initiated our review, OTS had four regions. A fifth OTS region was established in April 2007 and officially opened in July 2007. Designated the Central region, it is responsible for oversight of thrifts and their holding companies in Ohio, Illinois, Indiana, Wisconsin, and Michigan.

The FFIEC manual’s minimum examination procedures for BSA/AML are scoping and planning for the examination, a BSA/AML risk assessment, a BSA/AML compliance program review, and the development of conclusions to finalize the examination. The FFIEC BSA/AML manual contains additional core examination procedures which OTS officials told us are not required for every examination but are selected by the examiner based on the scope of the examination.
OTS officials stated that the minimum procedures provide examiners with sufficient flexibility to tailor the procedures based on risk. In addition, examiners are provided expanded examination procedures for areas such as electronic banking and money services businesses (MSB) that are used based on the risks identified at the thrift.

The core procedures include the following sections as described:

• Customer Identification Program (CIP) - assess the institution’s compliance with the statutory and regulatory requirements for CIP.

• Customer Due Diligence (CDD) - assess the appropriateness and comprehensiveness of the institution’s CDD policies, procedures, and processes for obtaining customer information and assess the value of this information in detecting, monitoring, and reporting suspicious activity.

• Suspicious Activity Reporting - assess the institution’s policies, procedures, and processes and overall compliance with the statutory and regulatory requirements for monitoring, detecting, and reporting suspicious activity.

• Currency Transaction Reporting - assess the institution’s compliance with statutory and regulatory requirements for reporting large currency transactions.

• Currency Transaction Reporting Exemptions - assess the institution’s compliance with statutory and regulatory requirements for exemptions from the currency transaction reporting requirements.

• Information sharing - assess the institution’s compliance with statutory and regulatory requirements for section 314 information requests.

• Purchase and Sale of Monetary Instruments - assess the institution’s compliance with statutory and regulatory requirements for the recording of information required for the purchase and sale of monetary instruments for currency in the amounts between $3,000 and $10,000, inclusive.

• Funds Transfers - assess the institution’s compliance with statutory and regulatory requirements for funds transfers.

15
FFIEC, established under title X of the Financial Institutions Regulatory and Interest Rate Control Act of 1978, is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the examination of financial institutions by the federal bank regulators.

OTS can take enforcement action when warranted to ensure compliance with laws and regulations.16 OTS uses informal (non-public) and formal enforcement action.
Informal enforcement action is generally used if the thrift’s overall condition is sound; however, it is necessary to obtain the thrift’s board of directors or management’s written commitment to correct problems and weaknesses. Formal enforcement action, such as a cease and desist order, is used when a thrift has significant compliance problems, especially when there is a threat of harm to the association, depositors, or the public. OTS publishes formal enforcement actions on its website.

16
OTS’s Regulatory Handbook, Section 371, (June 2003).

Findings

Finding 1   OTS Examiners Often Performed Limited Examinations to Evaluate BSA and Patriot Act Compliance

For the thrifts in our sample, we found that examiners often performed limited BSA examinations and did not always evaluate, through transaction testing or other means, whether significant BSA and Patriot Act compliance program elements had been implemented.
We also could not determine whether examiners reviewed certain high risk issues, such as transactions involving MSBs and electronic banking, because examiner workpapers did not sufficiently document evidence of work performed or examiner’s judgment as to whether a review of these BSA compliance areas was warranted.

BSA Examination Procedures Require an Adequate Assessment of BSA Compliance

In July 2005, OTS began using the FFIEC BSA/AML manual for its BSA examinations. It provides for a standard format to guide examiners through examinations and to document results. Before release of the FFIEC BSA/AML manual, OTS’s BSA examination guidance was contained in the OTS Examination Handbook, Section 1400, Compliance Oversight Examination Program. The OTS guidance did not mandate a standard examination format.

Both the old guidance and the current FFIEC guidance, however, require that examiners adequately assess a thrift’s BSA compliance program. An adequate assessment of a thrift’s BSA compliance program requires examiners to determine whether the thrift’s internal BSA compliance program has been appropriately designed and implemented.
The guidance states that the thrift’s program should be written, include appropriate internal controls, assign responsibility to a BSA officer, provide for independent audit of the program and include employee training on BSA policies, procedures, processes, and regulatory requirements.

OTS stressed in its internal guidance that examiners perform a risk-based examination that emphasizes the thrift’s demonstrated ability to manage its compliance responsibilities. Using the risk-based focus, OTS examiners refine the scope of their compliance examinations by considering factors such as a thrift’s risk profile.17 OTS examiners are instructed to minimize time spent on areas in which the compliance systems appear strong and the likelihood of problems of noncompliance is extremely small or nonexistent. They are instructed to document in their workpapers the judgments they make and their basis for selecting the operations, products, or regulatory areas subject to review.

The 2005 FFIEC BSA/AML manual put more emphasis on risk assessment and provides general guidance to examiners for conducting these assessments. Although no particular format is specified, the risk assessment should cover the areas of the thrift’s business that are most vulnerable to noncompliance with BSA and Patriot Act requirements.
The guidance further states that if the thrift does not perform the risk assessment, then the examiner should.

To provide guidance on the FFIEC BSA/AML manual examination procedures, OTS senior management issued a July 2005 memorandum18 to the examiner staff. In the description of the procedures included in the manual, the memorandum provided guidance for transaction testing in the BSA examinations. It stated that transaction testing is required at each examination. This testing can be conducted by utilizing the results of the thrift’s independent testing procedures or by completing any of the transaction testing procedures provided in the examination manual. The memorandum stated that the examiner staff may limit the scope of the transaction testing if the (1) independent test review was comprehensive and no significant findings were made; (2) examiner has no concern with the thrift’s BSA compliance program; and (3) thrift has a history of strong compliance.19

17
Among the factors OTS guidance cites for identifying a thrift’s risk profile are changes to or expansions of business operations and strategies; substantive changes to compliance policies, procedures, systems, or controls; extent of regulatory violations or deficiencies and corrective actions in reports to management and the board; and areas where the thrift and similarly situated thrifts experienced problems.

18
New Directions 05-05, FFIEC BSA/AML Examination Manual, (July 2005).

19
An examiner from the West region stated that this region did not start using the formatted FFIEC procedures until 2006. In 2005, the region created its own checklist to be used for its BSA examinations that incorporated the steps outlined in the FFIEC BSA/AML manual. We found that the region’s checklist did address all areas of review presented in the FFIEC BSA/AML manual.

The subsequent versions of the FFIEC BSA/AML manual issued in 2006 and 2007 provided more emphasis on the importance of transaction testing in the BSA examinations. The updated manuals stated that transaction testing is an important factor in forming conclusions about the integrity of the bank’s overall controls and risk management processes and should be performed during each examination. The extent of transaction testing conducted should be based on such factors as examiner’s judgment of risks, controls, and the adequacy of independent testing.

OTS Examiners Frequently Limited Work Performed to Evaluate Implementation of BSA Compliance

For 82 of 95 thrifts we reviewed, or 86 percent, we found that examiners in the most recent examinations performed limited reviews of thrift BSA compliance programs. Table 1 provides the number of thrifts by region with limited BSA examinations and the percentage of the thrifts in our sample.

Table 1: Number and Percent of Thrifts by Region With Limited BSA Examinations

                                                  Northeast  Southeast  Midwest  West  Total
Number of thrifts in our sample                          37         20       20    18     95
Number of thrifts with limited BSA examinations          33         17       17    15     82
Percent of thrifts with limited BSA examinations         89         85       85    83     86

Source: OIG review of OTS BSA examination workpapers and ROEs.

We found examiners limiting their reviews to determining if the thrifts had BSA policies and procedures for information sharing and CIP requirements, accepting thrift assurances that they knew their customers, confusing CDD20 with CIP, and not following through to identify mitigating factors when thrifts did not maintain dual controls.21

Table 2 summarizes our findings, by region, of reasons for the limited examinations. For the majority of the thrifts, examiners assessed compliance only by verifying the existence of policies and procedures for information sharing and CIP requirements. In these cases, we did not find evidence of how the examiners were satisfied that the thrift was properly implementing these policies and procedures. At some of the thrifts we found that policies and procedures for information sharing and CIP were addressed in independent audit work; however, in several cases we did not see evidence of this.

20
In the examinations we discuss in this section, when we did not see evidence that the examiners reviewed for compliance with 31 CFR 103.181 which refers specifically to correspondent and private banking accounts, we asked examiners what work was performed for CDD. The examiners provided responses that addressed customer due diligence in general terms.
The 2005 FFIEC BSA/AML manual provided guidance for an overall due diligence program to assess the appropriateness and comprehensiveness of the bank’s customer due diligence policies, procedures and processes for obtaining customer information and assessing the value of this information in detecting, monitoring, and reporting suspicious activity while still defining regulatory requirements of Section 312 of the Patriot Act.

21
Dual controls exist when the individual performing a procedure is different from the individual monitoring the performance. For example, the individual who files SARs at a thrift is different from the individual monitoring the filing.

Table 2: Reasons for Limited BSA Examination Procedures by Region in the Most Recent Examination

Reason                                            Northeast  Midwest  Southeast  West  Total
Number of thrifts with limited BSA examinations          33       17         17    15     82
Limited information sharing review to policies           20       15         15    11     61
  and procedures
Limited CIP review to policies and procedures            24       13          8    10     55
Examination procedures not performed because the          4        1          5     1     11
  thrift assured examiners that it knew its
  customers
Uncertain about CDD requirements                          3        1          1     2      7
Acceptance that dual controls and separation of           4        2          2     0      8
  duties are not maintained

Source: OIG review of OTS BSA examination workpapers and ROEs.

Note: These columns, if added, would total more than the number of thrifts in our sample. That is because many of the thrift BSA examinations were limited by more than one reason.

When we found limitations in the most recent examination of a thrift, we also reviewed the prior examination to determine whether the scope of the previous examination was similarly limited. For information sharing and CIP, we found that over one third of the thrifts had been reviewed only for the existence of policies and procedures for two consecutive examinations. More specifically, in reviewing the examinations conducted just prior to the current examinations, which altogether covers a period of about 2 to 3 years, we found that for 38 thrifts, examiners reviewed only the existence of information sharing and CIP policies and procedures, respectively. By reviewing only the existence of policies and procedures, the examiners concluded that these aspects of the thrift compliance programs were up to standard.
We also found several thrifts for which examiners did not perform a review of CDD because the thrift assured them that it knew its customers or examiners did not fully understand CDD and confused it with CIP. In addition, we found thrifts for which examiners failed to identify mitigating factors associated with insufficient separation of duties.

The following sections discuss the elements of the above table in more detail.

Testing of Compliance With Information Sharing Requirements Was Often Limited

According to the BSA regulations,22 the thrift shall expeditiously search its records to determine if it maintains or has maintained any account for, or engaged in transactions with the individual, entity, or organization named in FinCEN’s request. If the thrift does have this information, it is to be reported to FinCEN in the manner and time frame specified in FinCEN’s request.

Although not a regulatory requirement, the core procedures for information sharing in the FFIEC BSA/AML manual include a step to review the adequacy of the thrift’s documentation to provide evidence of compliance with section 314(a) requests. This is in addition to the primary objective for determining the existence of policies, procedures and processes for 314(a) requests.
This documentation includes copies of the 314(a) requests, a log with tracking numbers and sign off columns to show the records were checked, the date of the search, and search results. In addition, the manual states that copies of information returned to FinCEN along with supporting documentation should be retained by the thrift.

22
31 CFR 103.100.

We reviewed examiner workpapers concerning thrift compliance with information sharing provisions of the Patriot Act and discussed testing performed with examiners. We found that their tests were frequently limited. For 61 of 95 thrifts in our sample we found that examiners reviewed only the written policies and procedures for the thrift’s section 314(a) information sharing programs in their current examinations. Reviewing written policies and procedures, however, does not ensure that the thrift is contacting FinCEN in a timely manner in response to a search of its records for suspect names, account numbers, and other identifying information as required by regulation. For 4 of 95 thrifts in our sample we saw no evidence of examiner review of this compliance area. For the other 30 thrifts in our sample, we found adequate reviews of this compliance area were made.
Examiners either reviewed thrift records and processing of requests or reviewed independent audit work to determine if FinCEN was properly contacted and records of FinCEN’s requests and the thrift’s responses to these requests were maintained.

OTS’s headquarters officials stated that even though there are no recordkeeping requirements in the regulation, the examiner may perform a review to determine if the thrift is maintaining a log of information sharing requests. Also, OTS’s headquarters officials stated that FinCEN will contact OTS if a request goes unanswered. OTS seemed satisfied with this type of control to compensate for the limited review performed by the examiners.

Examiner Review of Compliance With CIP Requirements Was Often Limited

We reviewed examiner workpapers concerning thrift compliance with CIP provisions of the Patriot Act and discussed testing performed with examiners. We found that examiner tests were frequently limited.
We question whether examiners performing these limited examinations could ensure thrift compliance with CIP provisions.

We found in the most recent examinations of 55 thrifts, examiners were reviewing only whether the thrift had written CIP policies and procedures and not, as required by the BSA regulations,23 to determine whether the thrift maintained records of the information used to verify customer identities.24 For these thrifts, we did not see evidence that the examiner had evaluated thrift compliance with this provision by doing transaction testing or had evaluated independent audit work associated with CIP. We did find, however, that CIP transaction testing was performed for 28 thrifts. Also, examiners reviewed independent audit work for CIP for another 12 thrifts.

23
31 CFR 103.121.

24
FFIEC Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual, (June 2005).

OTS’s headquarters officials stated that the examiner evaluates the risk based on the thrift’s business activity and makes a judgment of whether to test the thrift’s CIP records.
The question remains, however, as to how an examiner can ensure compliance with the provisions of the CIP regulation if the examiner does not perform a review of the thrift’s records.

Examiners Relied on Thrift Assurances About Customers and Did Not Review Customer Activity That Posed a Potential Risk

We found in the most recent examinations in our sample of 95 thrifts that examiners did not perform certain tests to review thrift monitoring of customer accounts for suspicious activity. As shown in table 2, for 11 thrifts the tests were not performed because the thrifts claimed that they knew their customers. For 7 other thrifts, the examiners were uncertain about CDD requirements.

When we asked OTS’s headquarters officials about an examiner not performing CDD tests because a thrift has assured an examiner that it knows its customers, the officials said that in that case a review of CDD is not always necessary. OTS’s headquarters officials stated that Section 312 of the Patriot Act and its accompanying regulations25 refer to CDD requirements for correspondent accounts for foreign financial institutions and private banking accounts for non-U.S. persons. OTS officials also said that correspondent accounts for foreign financial institutions and private banking accounts for non-U.S. persons were not common account activities to thrift charters.

OTS officials are correct in their interpretation of Patriot Act requirements. However, though not a regulatory requirement, the FFIEC manual, which reflects the best judgment of the five federal banking agencies and FinCEN, states that the cornerstone of a strong BSA/AML compliance program is the adoption and implementation of comprehensive CDD policies, procedures, and processes for all customers, particularly those that present a high risk for money laundering and terrorist financing. The manual goes on to state that the objective of CDD should be to enable the bank to predict with relative certainty the types of transactions in which a customer is likely to engage. Moreover, these types of processes assist the financial institution in determining when transactions are potentially suspicious. We used this more expansive requirement in assessing the CDD examinations conducted by OTS examiners. Further, we found thrifts in our sample with potentially risky customers, including MSBs and foreign individuals and businesses.

25
31 CFR 103.176, 31 CFR 103.177, 31 CFR 103.178, and 31 CFR 103.181.

When we asked OTS’s headquarters officials about possible confusion among examiners about CDD and its requirements, as happened in the examinations of 7 thrifts in our sample, they said they are aware that certain examiners do not fully understand CDD requirements and how it is distinguished from CIP, and intend to correct the problem.
Several of the examiners told us they had not performed a CDD review in these cases because of uncertainty as to the requirements. Other examiners referred to such procedures as CIP, which is the process by which a thrift verifies customers’ identities when they open accounts. In addition, OTS’s headquarters officials stated that if the thrift has assured the examiner through independent testing and internal control results that CDD is commensurate with a known customer risk profile, transaction testing may not be warranted.

Examples in which the examiners, despite potential risk, did not review the thrift’s CDD follow below.

• The examiner of one thrift said CDD was covered when he reviewed the thrift’s CIP program. Despite the risk of many foreign individual and business depositors, the examiner reviewed only the account opening records of these depositors to ensure that the thrift obtained all of the required information. This examiner also documented in the ROE that he reviewed the procedures followed by the thrift to determine if these customers were on any list of known or suspected terrorists or terrorist organizations. However, the examiner said he did not take this review a step further, contrary to FFIEC BSA/AML manual guidance, to determine if the thrift was conducting ongoing monitoring of potentially high risk transactions.

• An examiner found that another thrift was not conducting due diligence for its MSB customers’ accounts for unusual or suspicious activity.
  When we asked why this was not cited in
  the ROE, the examiner said that at the time of this 2005
  examination, OTS was allowing thrifts time to develop their
  CDD programs. Although the CDD regulations had been in
  effect since 2002, the examiner said that it was not until June
  2005, when the FFIEC BSA/AML manual was issued, that
  guidance existed regarding what the CDD program required. The
  examiner added that prior to this guidance, OTS examiners
  focused on a thrift’s ongoing monitoring of high risk accounts
  for CTR reporting purposes and not suspicious activity.

By way of contrast, however, other OTS examiners we interviewed
well understood CDD requirements, and appropriately identified
program weaknesses during their examinations, as shown below.

• One examiner documented in an examination that the thrift was
  performing appropriate CDD. The examiner reported that when
  concerns or patterns of unusual transactions are noted, the
  thrift’s compliance officer is contacted to obtain additional
  information from the customer regarding this activity. The thrift
  conducts transaction analysis over time to monitor for unusual
  activity. The thrift also closed a customer account as soon as it
  was unable to verify data that was provided by the customer
  for a questionable transaction.

• In another examination, the examiner found that an institution
  was not monitoring its high-risk accounts and that proper CDD
  was not performed.
  The examiner noted that management had
  just begun to review all of the past deposit history of the
  borrowers to identify unusual transactions. The examiner
  documented that the thrift’s high-risk accounts, which were
  MSBs as noted in the thrift’s risk assessment, had not been
  interviewed or visited to determine the extent of their business
  and the products and services they offered.

• A similar concern was found by an examiner when he found
  that the thrift was not reviewing customer account activity. The
  examiner found that the thrift needed to establish customer
  profile forms on all customers exhibiting higher anti-money
  laundering or terrorist risk characteristics, based on the thrift’s
  risk analysis, and review the transactions of these customers
  for unusual activity.

Dual Controls and Separation of Duties Were Not an Examiner Concern at Some Thrifts

OTS’s guidance[26] and the 2005 FFIEC BSA/AML manual provide guidance
to examiners about what constitutes good internal control in a
thrift’s BSA compliance program. The manual states that a thrift’s
BSA compliance program should provide policies, procedures, and
processes for dual controls and segregation of duties.
The manual
also states that employees who complete reporting forms, such as
SARs and CTRs, should not be responsible for filing the reports
with Treasury.

The purpose of these controls is to allow the thrift to objectively
monitor compliance with its BSA program independently from
performing the procedures. This is a means of deterring
circumvention of controls and allows the thrift to appropriately
evaluate the effectiveness of its program.

[26] OTS’s Compliance Self Assessment Guide, (December 2002).

We found examinations conducted for 8 of the 95 sampled thrifts
in which the examiners did not discuss steps that the thrift had
taken or could take to mitigate risk caused by the lack of
separation of duties. In these cases, the examiners noted instances
where the thrifts had not established fully independent positions or
functions, yet the examiners did not address compensating
controls, such as an adequate independent audit function, that
could allow these situations to be deemed acceptable. For example,
in a Southeast thrift, the senior vice president served as both the
thrift’s internal auditor and compliance officer.
The examiner only
reported in the ROE that the combined function of the internal
auditor, who is responsible for independently testing all thrift
departments, and compliance officer, who is responsible for
compliance with all programs (including lending, retail operations,
BSA/AML, and fair lending), was becoming increasingly demanding
as the thrift continued to grow and establish offices in other areas.
This same thrift also had another separation of duties issue
because the thrift’s BSA officer, who is responsible for thrift
BSA/AML compliance, was filing SARs.

When we discussed our concerns with OTS’s headquarters
officials, they stated that the examiners would be concerned only if
the compliance officer was the same person as the BSA officer. If
not, then examiners would not be concerned if, for example, the
compliance officer also audited the BSA function at the thrift.
However, they agreed that a compliance officer performing a
BSA-related function, such as filing CTRs, would not be appropriate. If a
BSA officer performs both a monitoring and filing procedure
function such as for CTRs, however, OTS headquarters officials
stated that this situation does not create a heightened risk of
BSA/AML noncompliance and possible money laundering or
terrorist financing, if it occurs at a small, low-risk community thrift
with limited resources.

Nonetheless, we found cases in each of OTS’s regions in which the
examiners did not always raise a concern when a thrift’s
compliance officer or BSA officer also performed day-to-day BSA
functions or if the compliance officer was the same person as the
BSA officer. For example:

• A Northeast examiner noted that a thrift vice president
  conducted BSA-related reviews, such as monitoring large cash
  transaction reports for the filing of CTRs and SARs, and also
  submitted CTRs and SARs for processing.
  While the ROE stated
  that adequate policies and procedures were in place to ensure
  that business was being conducted in a sound manner, we
  could not identify any additional testing performed to reach this
  conclusion.

• A Southeast region examiner found that the BSA officer was
  responsible for filing SARs and that all employees of the thrift
  were to report suspicious activity to the BSA officer. The BSA
  officer also processed the thrift’s wire transfers. No explanation
  was provided in the ROE of how the risk posed by these
  incompatible duties was mitigated.

• In a Midwest examination, the institution’s vice president
  functioned as both the BSA officer and the compliance officer.
  The examiner reported that this individual performed in-house
  monitoring of the institution’s BSA program and reported the
  results of this work to the thrift’s board for review or action.

• For a West region thrift, the examiner reported that the thrift’s
  internal auditor was responsible for filing SARs. The examiner,
  however, did not note this as a problem or identify how the
  thrift mitigated the resulting risk.

Examiners Generally Did Not Document Evidence of Review for Specific BSA Compliance Areas

For all 95 thrifts in our sample, we found that OTS examiners did
not document that one or more BSA compliance areas had been
covered during the most recent examination.
In these cases we did
not see documentation of work performed, or of the examiner’s
judgment whether a review of these BSA compliance areas was
warranted.

OTS’s November 2004 written guidance states that an examiner
should document in the workpapers the judgments made during
examinations and the basis for selecting areas to review. This
guidance also states that the effectiveness of OTS’s examination
process is in part reflected in the adequacy of workpaper
documentation. Because the most recent examinations were
conducted in 2005 and 2006, this guidance applied.

When establishing the scope of the BSA examination, OTS’s
guidance states that the examiner should consider the risks based
on the thrift’s operations, the quality of management, and the
ability of management and the board to monitor risk and take
action to remedy problems. Based on this assessment, the
examiner determines the appropriate areas to review and the
examination procedures to use. In our review, we looked for
evidence that the examiner made this assessment and either
documented the results of examination for critical BSA program
areas or provided rationale for not examining these areas.
Specifically, we looked for whether the examiner assessed the risk
at the institution either informally in workpaper documentation or
through a formal risk assessment prepared by the thrift or the
examiner. When we found no evidence in the examination
workpapers that certain assessments were made, we interviewed
the examiners about the circumstances and the rationale examiners
used to justify the lack of documentation for certain procedures.

Having examiners document these assessments has been more
recently emphasized in the FFIEC manual.
When first issued in
2005, the FFIEC BSA/AML manual did not address examination
documentation. However, the 2006 and 2007 updates to the
manual state that examination workpapers should be prepared in
sufficient detail to support issues in the ROE. Additionally, for
those findings not discussed in the ROE, the examiner should
ensure that the workpapers thoroughly and adequately document
each review as well as aspects of the institution’s BSA compliance
program that merit attention. The manual now also states that in
formulating conclusions for the BSA examination, all relevant
determinations should be documented and explained.

The areas of BSA compliance most frequently not addressed by the
examiners for the 95 sample thrifts were: (1) electronic banking
activities, specifically Internet banking (67 thrifts); (2) business
relations with MSBs (57 thrifts); and (3) lending activities (47
thrifts).

Table 5 presents the number of thrifts in which specific BSA
examination areas showed no evidence of review during the most
recent examination.

Table 3: BSA Compliance Areas for Which Workpapers Lacked Evidence
         of Review in the Most Recent Examination

Review area                                 Northeast  Southeast  Midwest  West  Totals
Number of thrifts in our sample                    37         20       20    18      95
Electronic banking                                 32          6       17    12      67
Money service businesses                           33          5       12     7      57
Lending activities                                 33          3        7     4      47
Customer due diligence                             12          3       10     4      29
Currency transaction reporting exemption           15          3        2     1      21
Purchase and sale of monetary instruments           9          2        3     4      18
Risk assessment                                     8          2        1     1      12
Review of prior BSA examination                     6          0        1     0       7
Funds transfers                                     5          0        1     1       7
Independent testing                                 4          0        0     0       4
Information sharing                                 2          0        0     2       4
Written BSA program                                 2          0        0     0       2
Suspicious activity reporting                       1          0        0     0       1
Internal controls                                   1          0        0     0       1
BSA officer                                         1          0        0     0       1
BSA training                                        1          0        0     0       1
Currency transaction reporting                      1          0        0     0       1
Customer identification program                     0          0        0     0       0

Source: OIG review of OTS BSA examination workpapers and ROEs.

For many of these thrifts, the examination workpapers for the prior
examination also lacked evidence that certain BSA compliance
areas had been reviewed in the prior examination. For example, we
found no evidence that electronic banking had been reviewed for
53 thrifts during two consecutive examinations.
This was also the
case for 48 thrifts with respect to their business relationships with
MSBs and 35 thrifts with respect to their lending activities.

In response to our inquiries about why documentation was not
available to show that procedures for assessing BSA compliance
had been performed, the OTS examiners and regional management
officials provided the following explanations:

• Examination documentation was not prepared when examiners
  did not find exceptions. We were told by a number of examiners
  and their manager, particularly in the Northeast region, that
  examiners were expected to “document by exception.”
  Therefore, if an examiner did not find a problem in an area,
  there may not be any documentation of examination of that
  area in the workpapers. When we asked the examiners about
  the examinations for those areas lacking documentation, they
  primarily relied on memory to tell us if procedures were
  performed and whether they did not document the results of
  their work because no problems existed. In these cases, we
  could not assess the accuracy of these explanations because no
  documentation existed to verify them.

• The thrift did not have certain types of accounts to warrant the
  tests. According to some examiners, if a thrift did not have any
  activity in a particular area or a particular type of account, the
  review of that area was probably not documented in the
  workpapers. Without documentation, however, the examiners
  who provided this explanation were relying on their own
  recollections of thrift business at the time of the BSA
  examinations.

• A risk assessment was not available.
  Although a thrift is not
  required to prepare a risk assessment, the 2005 FFIEC manual
  recommends that the thrift prepare a risk assessment, and if the
  institution has not, the examiner must prepare one. With or
  without a documented thrift risk assessment, to scope the BSA
  examination, examiners need to assess the thrift’s level of
  BSA/AML risk. For 12 sampled thrifts, we did not find evidence
  that the examiner had assessed risk at the institution in order to
  scope the BSA examination.

• Examiners “waived” procedures because the thrift said it knew
  its customers. As discussed earlier, because of a thrift’s smaller
  size, the examiners often accepted without evidence that the
  thrift knew its customers and, as a result, waived review of the
  thrift’s CDD program.

• Examiners lacked an understanding of certain requirements. As
  discussed earlier, some examiners did not know the difference
  between CDD and CIP.

OTS’s headquarters officials stated that examiners are not required
to document areas reviewed unless there are adverse findings, and
questioned the need for detailed documentation of non-applicable
areas. They said documenting why particular examination
procedures did not apply to a thrift would significantly increase
examination time and burden on the industry.

Because of our concern with the lack of evidence with electronic
banking and the fact that Internet banking (a major component of
electronic banking) is becoming a more common way of doing
banking business for many customers and carries with it a certain
amount of risk, we decided to look more closely at examiner
reviews in this area.
We noted the following:

• In the Northeast region, few thrifts in our sample were identified
  as having Internet banking. For those thrifts which did have
  Internet banking, no additional work was done in the BSA
  examination to evaluate online transactions.

• In the Southeast region, the examination documentation for 13
  thrifts in our sample contained no evidence that the examiner
  reviewed the thrift’s Internet banking services. Of these, 6
  thrifts had examinations conducted using the FFIEC examination
  procedures, which required that a risk profile be prepared and
  the risk associated with electronic banking be identified by the
  thrift. For all of the 6 thrifts, the examiners did not recall the
  work that was performed because the workpapers lacked
  documentation.

• In the West region, the examiner noted in the examination
  program of one sampled thrift that electronic banking was a
  high risk business line. However, we did not find evidence in
  the examination documentation that work was performed to
  review the thrift’s use of electronic banking for customer
  transactions.

We asked examiners whether they reviewed electronic banking in
those cases in which we did not see supporting documentation. In
general the examiners said they thought electronic banking was
more of a risk if the thrift allowed customers to open accounts
online.
If a bank did not allow accounts to be opened online but
only allowed customers to do online transactions once a
customer’s account was opened, the examiners believed that these
transactions would be subject to the thrift’s BSA compliance
program controls and did not represent the same risk for the thrift.

Although OTS’s information technology group[27] examines the
authentication processes at thrifts,[28] we found that the information
technology examiners did not routinely share the results of their
examinations with compliance examiners. For example, in a
Southeast region examination, we found that the information
technology examiner who reviewed these controls at the thrift did
not coordinate with the examiners conducting the BSA examination
to determine the impact of a problem with the thrift’s electronic
banking authentication controls on the thrift’s CIP program. OTS’s
examiners who conducted the information technology exam
considered the problem to be a concern for fraud or identity theft
but not CIP.
We received a similar response from OTS’s
headquarters officials who stated that although Internet banking is a
high risk area and would generally warrant a review, they believed
that this was more of an identity theft or fraud concern, and did
not believe that there was a link between information technology
issues such as authentication controls and CIP.

[27] OTS’s information technology examiners review technology risks and controls at thrifts that have
complex operations and activities. Regional managers determine whether to assign an information
technology examiner based on factors such as the volume and type of internal processing conducted
and use of complex applications, systems networks, or equipment. When scoping a thrift’s examination,
the examiner-in-charge is to consult with the regional information technology examination manager
regarding these concerns.

[28] OTS issued a memorandum to chief executive officers of thrifts on the subject of authentication in an
Internet banking environment. In this guidance, OTS states the need for thrifts to do risk-based
assessments, customer awareness, and implement security measures to validate customers accessing
thrifts’ Internet-based services. OTS also states that examinations of thrifts are to include a review of
the authentication methods and controls as they relate to this guidance.

OTS’s headquarters officials stated that information technology
reviews do not focus on whether controls are adequate to
reasonably protect the bank from money laundering and terrorist
financing but that reviews of authentication methods and controls
for Internet-based services generally focus on the need for
risk-based assessments, customer awareness, and security measures
such as password controls. We believe that even if the information
shared from these examinations is limited, it is still of value to the
examiner who is assessing authentication controls that are relied
upon to satisfy customer identification requirements for new
accounts opened online.

OTS Quality Assurance Reviews Found the Need for Examiners to Improve Their BSA Examinations

OTS regional officials conduct periodic quality assurance reviews of
their examination programs to assess examiner compliance with
examination guidance, including the BSA compliance program.
These reviews are conducted annually for a sample of
examinations.

We reviewed BSA quality assurance reviews OTS performed in
2005 for each of the regions because these were the most current
set of quality control reviews at the time of our review.
We found
that the scope of the quality assurance reviews included a review
of examiner workpaper documentation and the reporting of findings
in the ROEs and ECEF.

We found that 3 of the 4 regions identified aspects of the BSA
examination program needing improvement, as follows:

• In the Northeast, a January 2006 quality assurance review
  report identified the need for documentation improvements.
  The report suggested that examiners be provided examples
  of workpapers that thoroughly documented areas reviewed
  and conclusions reached to improve the quality of
  examination documentation by regional examiners. The
  report recommended that any violations corrected during the
  review period or during the examination be reported on the
  violations page of the ROE and in OTS’s examination
  system.

• In the Midwest, a December 2005 quality assurance review
  report suggested that the region remind examiners to
  document decisions about the scope of their work and the
  basis for selecting (and not selecting) certain procedures for
  review and specific transactions for testing. The report also
  said examiners should be reminded about the requirement to
  conduct transaction testing during each examination.

• In the Southeast, a January 2006 quality assurance review
  report recommended that the region improve the processes
  for issuing and communicating new guidance to its staff in a
  more efficient, uniform, and timely manner.
  The report noted
  that examiners within the region had been inconsistent in
  their examinations, following different versions of BSA
  examination program guidance that had been available within
  the region at the time. The report also noted that some
  examiners did not adopt the procedures in the FFIEC
  BSA/AML manual until October 2005 although the manual
  was issued in June 2005 and was adopted by OTS effective
  mid-July 2005. Additionally, the quality assurance reviewers
  found that compliance examiners did not consistently index
  draft ROEs to the supporting workpapers, and recommended
  that this be required of all staff.

We could not determine whether these quality reviews had been
effective in improving examination quality. The reviews were too
close to the dates of the examinations in our sample for us to
observe an effect.

Finding 2   OTS Examiners Did Not Consistently Cite a Violation When Written BSA Program Elements Were Missing

OTS examiners found that elements were missing in the written
programs for 28 thrifts. The examiners reported the missing
elements as BSA violations for 17 thrifts in accordance with OTS
guidance and the BSA regulations. However, for 11 thrifts with
similar findings, the examiners only made suggestions or
recommendations to the thrifts to improve their BSA programs. The
matters were not cited as BSA violations.
It is important for an
OTS examiner to cite these deficiencies as BSA violations so that
the thrift is made aware that immediate corrective action is
needed, and to set the stage for possible future enforcement action
in case the thrift does not address the violation.

Regulations Require Thrifts to Have a Written BSA Compliance Program

Thrifts are required to establish and maintain procedures reasonably
designed to assure and monitor compliance with BSA.[29]
Specifically, each thrift is to have a written BSA program that is
approved by the thrift’s board, and these procedures are used by
the thrift’s staff on a day-to-day basis to implement the program.
The BSA compliance program is to include, at a minimum, a
system of internal controls to assure ongoing compliance, provide
for independent testing for compliance by in-house personnel or an
outside party, designate an individual responsible for coordinating
and monitoring day-to-day compliance, and provide training for
appropriate personnel.
The thrift is also required to have a written
CIP program.

Guidance for Citing Violations for Missing Elements of a Thrift’s Written BSA Program

OTS guidance issued in April 2004[30] states that as a fundamental
BSA regulation thrifts are required to have a written program that
works effectively. Therefore, according to the guidance, a thrift is
in violation of the regulation when it has no written program, when
the written program is missing necessary elements, or when the
written program is adequate but not being followed. The guidance
provides that when a written program exists but lacks elements
required by regulation, the examiner is to record a violation for
each missing or inadequate element.

Violations that are determined to be substantive are to be reported
in the ROE. According to OTS instructions, examiners are to
consider a thrift’s overall record when determining if a violation is
substantive.[31] The following specific factors are to be considered:
(1) the severity of the violation, (2) the time span of the violation,
(3) whether the violation is widespread or isolated, (4) whether the
violation is systemic, (5) related findings on prior exams, and
(6) the risk profile of the association. To be considered a repeat
substantive violation, OTS must have previously brought it to the
thrift's attention in the ROE, in a discussion with management, or
by other means. Substantive violations are to be reported in the
ROE and in ECEF. All “technical” violations[32] are to be noted in the
workpapers and listed in the ECEF. Examiners are to discuss
technical violations with management. Recommendations made to
thrifts to enhance their BSA program or policy are generally not
included in the ECEF and may or may not be included in the ROE.

[29] 12 C.F.R. 563.177.
[30] OTS, New Directions Bulletin 04-05, Bank Secrecy Act and Anti-Money Laundering Programs (Apr. 5, 2004).
[31] OTS, Report of Examination Instructions (November 2004).

The FFIEC BSA/AML manual provides information on the
requirements for the thrift’s BSA compliance program. The manual
states, consistent with BSA statutes and regulations, that the
program must be in writing, approved by the thrift’s board of
directors, and noted in the minutes of the board of directors
meeting at which it was approved. In this regard, the written
program cannot consist only of policy statements, and practices
specified must coincide with the thrift’s written policies,
procedures, and processes.
The program must provide for the following minimum requirements: (1) a system of internal controls to ensure ongoing compliance (internal controls are the thrift’s policies, procedures, and processes designed to limit and control risks and to achieve compliance with the BSA), (2) independent testing of BSA compliance, (3) designation of an individual or individuals responsible for managing BSA compliance (i.e., the BSA compliance officer), and (4) training for appropriate personnel. In addition, CIP must be included as part of the BSA compliance program.

If examination findings are not properly recorded as violations, they are not entered into the ECEF for future corrective action and review in subsequent BSA examinations. If OTS finds that the thrift fails to take corrective action and the thrift continues to be noncompliant, properly recording the violations provides OTS with a sound basis for appropriate enforcement action.

[32] A technical violation is one that does not rise to the level of substantive.
Per OTS guidance, an example of a technical violation would be the failure of the thrift to completely or correctly fill out a BSA form in an isolated instance.

Missing BSA Program Written Elements Were Not Consistently Treated as Violations

When OTS examiners found incomplete written BSA programs, these findings were not always treated as violations, as OTS’s guidance and BSA regulations require. We found inconsistencies, particularly among regions, regarding whether BSA requirements that were not addressed in the thrifts’ written BSA programs were reported as violations.

We found that the Northeast consistently cited incomplete written BSA programs as violations. In contrast, the Southeast region did not. We also found that the Midwest region was inconsistent in its reporting of this type of deficiency, sometimes citing a violation and sometimes not.

Table 6 below summarizes the number of thrifts by region which were missing at least one element of the written BSA program and the number of thrifts cited with a violation.

Table 4: Thrifts With One or More Missing Elements in Their BSA Program

OTS Region   Number of Thrifts With   Number of Thrifts     Number of Thrifts Not
             This Deficiency          Cited for Violation   Cited for Violation
Northeast    9                        9                     0
Southeast    5                        0                     5
Midwest      12                       7                     5
West         2                        1                     1
Totals       28                       17                    11

Source: OIG review of OTS BSA examination workpapers and ROEs.

We observed the following with respect to how missing BSA written program elements were treated by the regions:

• In the Northeast region, one thrift was cited with a violation because the thrift needed to revise its written BSA program to include certain CIP program requirements and address monetary instrument sales and wire transfers. Another thrift in the region was cited with a violation for a written BSA program that also did not include complete CIP procedures, and CTR exemption procedures.

• The Southeast region, on the other hand, did not cite a violation for 5 thrifts although they were missing one or more parts of the following required elements in their written BSA compliance programs: independent testing, BSA training, CIP, 314(a) information sharing, filing CTRs, CTR exemptions, and filing SARs.

• The Midwest region cited a violation for 7 thrifts for missing one or more parts of the written BSA program, including internal controls, independent testing, BSA training, CIP, and others. Three thrifts were cited in violation when only a single element was missing for their BSA program.
  The region, however, did not cite violations at 3 other thrifts for similar missing BSA written program elements.

Regional officials we interviewed often took the position that the missing elements in the thrifts’ written BSA programs did not constitute violations because the examiners had made a judgment that the deficiency had little impact on the thrifts’ otherwise appropriate implementation of internal controls, designation of a BSA officer, independent testing, and BSA training. In addition, regional officials said that the examiners also considered if the missing element in the written BSA program was a legal or regulatory requirement or an item that would enhance existing internal controls. We found that these determinations were generally not documented in the examination workpapers. Both of these explanations, however, disregard the fact that there is a requirement for the thrift to have a complete written BSA program, and that the thrift’s practices must coincide with these written policies, procedures, and processes.

Two Regions Are Using Exception Sheets to Document Examination Results

While not required by OTS guidance, we found that two regions, the Midwest and Southeast regions, documented examination findings on exception sheets, which made it easier to trace examination findings from the workpapers to the ECEF and ROE. Each examination finding appeared on a separate sheet, on which the examiner noted the area in which the finding was made, specifically indicated if the finding represented a violation, and described the finding.
The documentation indicated the thrift’s response and any corrective action to be taken.

The Northeast and West regions did not use these forms. We had to interview examiners and review related workpapers to identify examination findings, and whether they were considered of sufficient severity to rise to the level of a regulatory violation. These factors dictate whether the results are to be reported in the ECEF or ROE.

Recommendations

We recommend the OTS Director do the following:

1. Reinforce the need for examiners to adhere to existing BSA examination related guidance, and assess if it is necessary to provide supplemental guidance and training to ensure examination consistency and documentation of examinations.

   Management Response

   OTS will reinforce the need for examiners to adhere to existing BSA examination guidance and assess whether supplemental guidance is needed. OTS also provides on-going BSA training to examiners in internal and external conferences, meetings and examiner schools. These BSA/Patriot Act discussions are made in Compliance I, Compliance II, and Advanced Compliance Examiner Schools.

   OIG Comments

   OTS’s plan to reinforce existing BSA examination guidance and assess the need for reinforcing guidance satisfies the intent of our recommendation.

2. For thrifts that offer electronic banking services, have compliance examiners consult with examiners performing information technology examinations to determine if there are additional BSA-related risks.

   Management Response

   OTS will implement a process to ensure compliance examiners consult with information technology examiners to determine if there are BSA-related risks at particular institutions.

   OIG Comments

   OTS’s plans to implement such a process, once done, satisfies the intent of our recommendation.

3. Provide guidance to examiners to ensure that they consistently cite thrifts for violations when written BSA programs are missing required elements.

   Management Response

   OTS is working with other federal banking agencies to issue interagency guidance on BSA violations to ensure consistency among the federal banking agencies when citing violations. In addition, OTS is enhancing an existing program in which managers based in Washington, D.C. and regional offices will discuss BSA/AML violations also in an effort to promote consistent citing of violations in lieu of this pending guidance.

   OIG Comments

   OTS’s participation with other banking agencies to issue the interagency guidance and its effort to promote consistency in citing violations is responsive to the recommendation.
   Once the interagency guidance is issued, OTS will need to assess its impact on current policies, procedures, and training.

******

We would like to extend our appreciation to OTS for the cooperation and courtesies extended to our staff during the audit. If you have any questions, please contact me at (617) 223-8640 or Sharon Torosian, Audit Manager, at (617) 223-8642. Major contributors are listed in appendix 3.

/s/
Donald P. Benson
Audit Director

Appendix 1
Objective, Scope, and Methodology

The objective of the audit was to determine whether the Office of Thrift Supervision’s (OTS) examination coverage was adequate to ensure compliance with the Bank Secrecy Act (BSA) and USA PATRIOT Act (the Patriot Act).
We also reviewed how OTS reported the results of its examinations to ensure that thrifts took appropriate corrective actions for noncompliance with these laws.

We interviewed officials at OTS headquarters and in the regional offices to obtain an overview of OTS’s responsibilities, strategies, tracking systems, and resources dedicated to ensure compliance with BSA and the Patriot Act by OTS-regulated thrifts.

We reviewed applicable laws and regulations related to BSA and the Patriot Act, and OTS’s examination and enforcement manuals, programs, and guidance. We reviewed the Federal Financial Institutions Examination Council Bank Secrecy Act/Anti-Money Laundering Manual to ensure that all provisions of BSA and the Patriot Act were addressed.

We selected a random sample of examinations of OTS-regulated thrifts by OTS region (Northeast, Midwest, Southeast, and West). Our sample resulted in a selection of 40 thrifts in the Northeast region, for each of which we reviewed the most current examination,[33] 20 examinations in the Midwest region, 20 examinations in the Southeast region, and 20 examinations in the West region.
The time period covered by these examinations was calendar years 2004 through 2006.

The asset sizes of the institutions in our sample are shown in table 5 below.

[33] We conducted audit survey work (which we generally do prior to initiating a full audit) in the Northeast region and selected 40 thrifts for review and analysis of their examinations from a listing of thrifts as of December 2005. During our full audit, we selected another 60 examinations, this time from a list of examinations completed between July 2005 and July 2006. This resulted in a selection of 20 current examinations each from the Midwest, Southeast, and West regions. These examinations were for 99 thrifts because our random sample of examinations for the West yielded 2 examinations for the same institution.

Table 5: Asset Size of Thrifts in BSA Examinations Sampled

OTS Region   Less than      $100 million   $250 million   $500 million   $1 billion     $5 billion     Total
             $100 million   to less than   to less than   to less than   to less than   and over       Thrifts
                            $250 million   $500 million   $1 billion     $5 billion
Northeast    13             13             6              4              3              1              40
Midwest      8              6              3              1              2              0              20
Southeast    5              5              4              6              0              0              20
West         2              2              8              4              0              3              19
Totals       28             26             21             15             5              4              99

Source: OIG Analysis of OTS data.

Note: Our sample had a total of 99 thrifts; however, for 3 thrifts in the Northeast, the state examiners performed the most recent BSA examination, and for 1 thrift in the West, the current examination was limited to assessing the thrift’s compliance with a formal enforcement action. We did not include these 4 thrifts in our sample and reported the results of our review for 95 thrifts.

We also requested and reviewed the examination performed immediately prior to each of the current examinations in our sample. This effectively doubled the number of examinations we reviewed to 79 in the Northeast region (one thrift had a relatively new charter and OTS had not performed an earlier examination), 40 in the Midwest region, 40 in the Southeast region, and 40 in the West region. We also did not use in our analysis 3 examinations in the Northeast region because they were conducted by states under agreements with OTS for alternating examinations.

We reviewed all of OTS’s examination workpapers, reports of examination, and examination system data for the current and most recent prior BSA examinations to evaluate the completeness, timeliness, and reporting of the results for these BSA examinations. We evaluated examination results using criteria in effect at the time of the examination.

We visited the Northeast region’s satellite office in Braintree, MA, and regional office in Jersey City, NJ, and the Southeast region’s Atlanta, GA, office.
We addressed our questions and discussed issues regarding our sample BSA examinations with OTS’s examiners in the Northeast and Southeast regions during our visits and with the Midwest and West regions in telephone conference calls with regional staff and examiners.

We performed our audit fieldwork from January 2006 through July 2007. We conducted our audit in accordance with generally accepted government auditing standards.

Appendix 2
Management Response

Appendix 3
Major Contributors to This Report

Sharon Torosian, Audit Manager
Timothy F. Cargill, Auditor
Nikole A. Solomon, Auditor
Ken D. Harness, Referencer

Appendix 4
Report Distribution

Department of the Treasury
    Office of Strategic Planning and Performance Management
    Office of Accounting and Internal Controls

Office of Thrift Supervision
    Director

Financial Crimes Enforcement Network
    Director

Office of Management and Budget
    OIG Budget Examiner